Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qcDdmLWdyY3YtNm1qZs0V2Q

Partial path traversal in sharpcompress

SharpCompress recreates a hierarchy of directories under destinationDirectory if ExtractFullPath is set to true in options. In order to prevent extraction outside the destination directory the destinationFileName path is verified to begin with fullDestinationDirectoryPath. However it is not enforced that fullDestinationDirectoryPath ends with slash:

public static void WriteEntryToDirectory(IEntry entry,
                                         string destinationDirectory,
                                         ExtractionOptions? options,
                                         Action<string, ExtractionOptions?> write)
{
    string destinationFileName;
    string file = Path.GetFileName(entry.Key);
    string fullDestinationDirectoryPath = Path.GetFullPath(destinationDirectory);
...
        throw new ExtractionException("Entry is trying to write a file outside of the destination directory.");
}

If the destinationDirectory is not slash terminated like /home/user/dir it is possible to create a file with a name thats begins as the destination directory one level up from the directory, i.e. /home/user/dir.sh.

Impact

Because of the file name and destination directory constraints the arbitrary file creation impact is limited and depends on the use case.

Permalink: https://github.com/advisories/GHSA-jp7f-grcv-6mjf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qcDdmLWdyY3YtNm1qZs0V2Q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: about 1 year ago


CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Identifiers: GHSA-jp7f-grcv-6mjf, CVE-2021-39208
References: Repository: https://github.com/adamhathcock/sharpcompress
Blast Radius: 10.1

Affected Packages

nuget:sharpcompress
Dependent packages: 40
Dependent repositories: 219
Downloads: 156,130,898 total
Affected Version Ranges: < 0.29
Fixed in: 0.29
All affected versions: 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.13.0, 0.13.1, 0.14.0, 0.14.1, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.16.1, 0.16.2, 0.17.0, 0.17.1, 0.18.0, 0.18.1, 0.18.2, 0.19.0, 0.19.1, 0.19.2, 0.20.0, 0.21.0, 0.21.1, 0.22.0, 0.23.0, 0.24.0, 0.25.0, 0.25.1, 0.26.0, 0.27.0, 0.27.1, 0.28.0, 0.28.1, 0.28.2, 0.28.3
All unaffected versions: 0.29.0, 0.30.0, 0.30.1, 0.31.0, 0.32.0, 0.32.1, 0.32.2, 0.33.0, 0.34.0, 0.34.1, 0.34.2, 0.35.0, 0.36.0